
ACL confusion

mchance (Level 1)

I have a /23 subnet that I use for guest network access. I created an ACL to allow DNS to the DNS server and 80 and 443 to the Unifi controller for the captive portal. 


This is the ACL I put in: 

ip access-list extended GUEST_WIFI
permit tcp host 172.18.254.0 0.0.1.255 172.16.110.29 eq domain
permit udp host 172.18.254.0 0.0.1.255 172.16.110.29 eq domain
permit tcp host 172.18.254.0 0.0.1.255 172.16.110.61 eq 443
permit tcp host 172.18.254.0 0.0.1.255 172.16.110.61 eq www
deny ip 172.18.254.0 0.0.1.255 172.16.0.0 0.0.255.255
deny ip 172.18.254.0 0.0.1.255 192.168.105.0 0.0.0.255
deny ip 172.18.254.0 0.0.1.255 192.168.0.0 0.0.0.255
deny ip 172.18.254.0 0.0.1.255 10.1.2.0 0.0.0.255
deny ip 172.18.254.0 0.0.1.255 10.1.1.0 0.0.0.255
deny ip 172.18.254.0 0.0.1.255 10.4.1.0 0.0.0.255
deny ip 172.18.254.0 0.0.1.255 10.0.0.0 0.0.0.255
permit ip any any


This is the result of sho ip access-lists:

Extended IP access list GUEST_WIFI
10 permit tcp host 172.18.254.0 0.0.1.226 172.16.110.29 eq domain
20 permit udp host 172.18.254.0 0.0.1.226 172.16.110.29 eq domain
30 permit tcp host 172.18.254.0 0.0.1.194 172.16.110.61 eq 443
40 permit tcp host 172.18.254.0 0.0.1.194 172.16.110.61 eq www
50 deny ip 172.18.254.0 0.0.1.255 172.16.0.0 0.0.255.255
60 deny ip 172.18.254.0 0.0.1.255 192.168.105.0 0.0.0.255
70 deny ip 172.18.254.0 0.0.1.255 192.168.0.0 0.0.0.255
80 deny ip 172.18.254.0 0.0.1.255 10.1.2.0 0.0.0.255
90 deny ip 172.18.254.0 0.0.1.255 10.1.1.0 0.0.0.255
100 deny ip 172.18.254.0 0.0.1.255 10.4.1.0 0.0.0.255
110 deny ip 172.18.254.0 0.0.1.255 10.0.0.0 0.0.0.255
120 permit ip any any


What is going on with the wildcard masks on the first 2 lines? Why did they change? I tried this on a few other switches and they all did it. What is going on?


4 Replies

Julio E. Moisa (VIP Alumni)

Hi

The problem is the "host" keyword: you are including a subnet, not a host. Host is equal to /32 only.

 

Remove the "host"

 

ip access-list extended GUEST_WIFI
no permit tcp host 172.18.254.0 0.0.1.255 172.16.110.29 eq domain
no permit udp host 172.18.254.0 0.0.1.255 172.16.110.29 eq domain
no permit tcp host 172.18.254.0 0.0.1.255 172.16.110.61 eq 443
no permit tcp host 172.18.254.0 0.0.1.255 172.16.110.61 eq www

 

Correct

ip access-list extended GUEST_WIFI
permit tcp 172.18.254.0 0.0.1.255 host 172.16.110.29 eq domain
permit udp 172.18.254.0 0.0.1.255 host 172.16.110.29 eq domain
permit tcp 172.18.254.0 0.0.1.255  host 172.16.110.61 eq 443
permit tcp 172.18.254.0 0.0.1.255  host 172.16.110.61 eq www

 

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Oh. So what should I put instead of host?

Hi

check the following config:

Correct

ip access-list extended GUEST_WIFI
permit tcp 172.18.254.0 0.0.1.255 host 172.16.110.29 eq domain
permit udp 172.18.254.0 0.0.1.255 host 172.16.110.29 eq domain
permit tcp 172.18.254.0 0.0.1.255  host 172.16.110.61 eq 443
permit tcp 172.18.254.0 0.0.1.255  host 172.16.110.61 eq www

 

or 

 

ip access-list extended GUEST_WIFI
permit tcp 172.18.254.0 0.0.1.255 172.16.110.29 0.0.0.0 eq domain
permit udp 172.18.254.0 0.0.1.255 172.16.110.29 0.0.0.0 eq domain
permit tcp 172.18.254.0 0.0.1.255  172.16.110.61 0.0.0.0 eq 443
permit tcp 172.18.254.0 0.0.1.255  172.16.110.61 0.0.0.0 eq www

 

 

A host represents a /32 in an ACL; you can set up a host as:

 

172.16.110.29 0.0.0.0      wildcard 0.0.0.0 = subnet mask 255.255.255.255

or

host 172.16.110.29    host = /32 

 

Host = one IP only

 

 

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
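The parsing behaviour behind the changed wildcards, as an added illustration that is not code from this thread or from Cisco: a small IOS-style extended-ACE tokeniser and first-match evaluator showing why the asker's lines were stored as a /32 source with a mangled destination, and why guest DNS then fell through to the deny lines until the "host" keyword was moved. It assumes the IOS convention of clearing the don't-care bits of an address; the addresses are the ones from the thread, and the packets checked are constructed.

```python
import ipaddress

PORTS, MASK = {"domain": 53, "www": 80}, 0xFFFFFFFF

def parse_addr(tok, i):
    """One IOS address spec: 'any' | 'host A' | 'A W' -> ((addr, wildcard), next index).
    As IOS does, address bits the wildcard marks as don't-care are cleared."""
    if tok[i] == "any":
        return (0, MASK), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2])
    return (addr & ~wild & MASK, wild), i + 2

def parse_ace(line):
    """'permit|deny PROTO SRC DST [eq PORT]', tokenised as IOS does: after 'host A' the
    destination is expected, so the asker's '0.0.1.255' became a destination address
    and '172.16.110.29' its wildcard, which normalises to the 0.0.1.226 in the show output."""
    tok = line.split()
    src, i = parse_addr(tok, 2)
    dst, i = parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "port": port}

def render(spec):
    """Format an address spec the way 'show ip access-lists' prints it."""
    addr, wild = spec
    if wild == 0:
        return f"host {ipaddress.IPv4Address(addr)}"
    return "any" if wild == MASK else f"{ipaddress.IPv4Address(addr)} {ipaddress.IPv4Address(wild)}"

def matches(spec, ip):
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) & ~wild & MASK) == addr

def evaluate(acl, proto, src, dst, port=None):
    """First-match evaluation of a parsed ACL, ending in the implicit deny."""
    for ace in acl:
        if (ace["proto"] in (proto, "ip") and matches(ace["src"], src)
                and matches(ace["dst"], dst) and ace["port"] in (None, port)):
            return ace["action"]
    return "deny"

# Constructed sample: the asker's DNS ACE and the corrected one, each followed by the first deny and the closing permit.
TAIL = ["deny ip 172.18.254.0 0.0.1.255 172.16.0.0 0.0.255.255", "permit ip any any"]
BROKEN = [parse_ace(l) for l in ["permit udp host 172.18.254.0 0.0.1.255 172.16.110.29 eq domain", *TAIL]]
FIXED = [parse_ace(l) for l in ["permit udp 172.18.254.0 0.0.1.255 host 172.16.110.29 eq domain", *TAIL]]
```

With BROKEN, a guest client such as 172.18.254.10 never matches the permit (only the single host 172.18.254.0 does) and is caught by the deny to 172.16.0.0/16; with FIXED the same DNS query is permitted.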

That was it. Thanks for that.

 

ip access-list extended GUEST_WIFI
permit tcp 172.18.254.0 0.0.1.255 host 172.16.110.29 eq domain
permit udp 172.18.254.0 0.0.1.255 host 172.16.110.29 eq domain
permit tcp 172.18.254.0 0.0.1.255 host 172.16.110.61 eq 443
permit tcp 172.18.254.0 0.0.1.255 host 172.16.110.61 eq www
deny ip 172.18.254.0 0.0.1.255 172.16.0.0 0.0.255.255
deny ip 172.18.254.0 0.0.1.255 192.168.105.0 0.0.0.255
deny ip 172.18.254.0 0.0.1.255 192.168.0.0 0.0.0.255
deny ip 172.18.254.0 0.0.1.255 10.1.2.0 0.0.0.255
deny ip 172.18.254.0 0.0.1.255 10.1.1.0 0.0.0.255
deny ip 172.18.254.0 0.0.1.255 10.4.1.0 0.0.0.255
deny ip 172.18.254.0 0.0.1.255 10.0.0.0 0.0.0.255
permit ip any any